Timely Patching Reduces System Compromises


By: The Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center


Patching is the process of applying available security updates to an operating system, website, software, hardware, or plugin. It is also among the most critical cybersecurity controls you can implement to protect against system compromise. In this blog post, we'll explain the importance of patching and provide recommendations on how you can timely patch your systems to reduce the potential for system compromise.

The Importance of Patching Amid Growing Threats

Patches and security updates fix vulnerabilities that cyber threat actors (CTAs) can leverage to gain access to information systems or a network. Once vulnerabilities are publicly known, CTAs can use that information for malicious purposes. It is therefore essential to patch your vulnerable systems as soon as you can after the vendor announces fixes for them.

As shown in the graph below, CTAs continue to leverage vulnerability exploits in their malicious campaigns. These exploits enable CTAs to obfuscate their presence and obtain easy access to a target system.

Exploitation Activity chart

(Source: Telemetry collected by the Multi-State Information Sharing and Analysis Center)

The Log4j vulnerabilities are a prime example of how patching can help keep your organization safe and prevent exploitation. News of the first Log4j vulnerability came out on December 9, 2021, with additional vulnerabilities announced on December 14 and 17. Vendors quickly made the patches available to prevent exploitation. Shortly after their release and organizations' implementation of those patches, Albert Intrusion Detection sensor detections showed a decrease in the exploitation of these vulnerabilities, as shown in the graph below.

Log4j Exploitation Activity chart

Ongoing Rise of Zero-Day Vulnerabilities

In addition to CTAs exploiting known vulnerabilities, CTAs are increasingly exploiting zero-day vulnerabilities. A zero-day exploit is a cyber attack that targets a vulnerability in a system before developers or members of the public are aware the vulnerability exists. Therefore, defenders had “zero days” to prepare for it.

It is extremely difficult for defenders to prevent exploits against these vulnerabilities because they are known only to the CTAs who discovered them. CTAs identify these vulnerabilities by systematically researching and probing systems they suspect might have an undiscovered weakness.

Upon discovery, a CTA can begin designing an exploit to gain access to the vulnerable systems. Alternatively, they can either share or sell a working exploit for the vulnerability to other CTAs. There are multiple online markets where CTAs sell and bid for the newest zero-day vulnerabilities. Once developers become aware of a vulnerability, they must act quickly to notify users and fix the issue by pushing out a patch.

According to research from Mandiant, zero-day exploits have consistently increased over the past 10 years, as shown in the graph below. Despite several years where the trend spiked or diminished, the increase in zero-day vulnerabilities represents an overall trend that we assess is likely to continue. Some notable zero-days exploited by CTAs include PrintNightmare, Apache Log4j zero-days from 2021, Microsoft Exchange Server zero-day from 2022, and the Papercut and MOVEit zero-days from 2023.

Zero-day exploits have consistently increase chart

How to Uphold Timely Patching in Your Organization

The Multi-State Information Sharing and Analysis Center (MS-ISAC) recommends developing a Continuous Vulnerability Management program in accordance with Control 7 of the CIS Critical Security Controls (CIS Controls). Through this program, you can continuously assess and track vulnerabilities on all enterprise assets within your infrastructure to remediate and minimize the window of opportunity for attackers.

Additionally, we recommend that you monitor public and private industry sources like CISA’s Known Exploited Vulnerabilities Catalog for new threat and vulnerability information or to identify available patches. Through ongoing monitoring of this information, you will help your organization identify which systems are vulnerable and download the patch from an authoritative source. At that point, you can then test and verify the patch in the operating environment to ensure there are no interruptions or negative impacts to your services and systems before applying the patch to all devices.

Ready to prioritize timely patching in your organization?